Allowing DHCP Relay Traffic Through an ASA

tyc17afguy
Level 1

Hello All,


I had a strange issue today where an ASA appeared to be blocking DHCP relay messages from a Cisco 3850.  A review of the configuration did not show any obvious configuration issues however, I could not see DHCP messages using real-time log viewer.  The setup was as follows:


Client--->2960X--->3850(L3)--->ASA--->DHCP Server


The 3850 had an ip-helper command on the vlan interface.  Some VLANs were not experiencing the issue while 2 were.  I don't work with many customers running DHCP through their firewall so I decided to lab the setup in GNS3.  So far I've been able to see DHCP relay messages make it to the DHCP server on a separate firewall interface, and see return traffic, but the DHCP Offer is not sent from the ASA to the client.  Is there something I'm missing?  I would assume a DHCP relay would be treated like normal unicast traffic unless the ASA has a built-in rule to deny port 67.  Or does a new inspect map entry need to be added?  Any guidance is appreciated.


Thanks,

1 Reply

Traian Bratescu
Level 1

Hi,

The only inspection required would be UDP.

I would assume that the first packet is allowed to pass?

packet-tracer input inside udp <vlan_ip> 67 <server_ip> 67


You could also make a capture to see where the packets get dropped (first on the ingress interface and then on the egress interface).

You could use the following command to troubleshoot:

show asp drop

capture asp-drop type asp-drop all


Additionally, you could manually allow (on both interfaces of the ASA) traffic on UDP 67 between the DHCP relay (VLAN IP interface towards the clients) and the DHCP Server.

Traian
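As an added example (not from the thread or from Cisco), the troubleshooting sequence and the explicit permits the reply describes, written out as ASA CLI. The addresses 10.10.20.1 (3850 VLAN interface doing the relay) and 192.168.100.10 (DHCP server), the interface names inside/dmz and the ACL and capture names are all constructed assumptions.

```cisco
! Constructed example: addresses, interface names, ACL and capture names are assumptions.
! 10.10.20.1     = 3850 SVI that relays client DISCOVERs (giaddr, source port UDP 67)
! 192.168.100.10 = DHCP server behind the ASA "dmz" interface (UDP 67)

! 1. Does the relayed DISCOVER pass inside -> dmz? A relay sends UDP 67 -> UDP 67.
packet-tracer input inside udp 10.10.20.1 67 192.168.100.10 67 detailed

! 2. Does the OFFER pass in the reverse direction, dmz -> inside, back to the relay?
packet-tracer input dmz udp 192.168.100.10 67 10.10.20.1 67 detailed

! 3. Capture on ingress and egress, plus every ASP drop, to see where packets stop.
capture CAP_IN  interface inside match udp host 10.10.20.1 host 192.168.100.10
capture CAP_DMZ interface dmz match udp host 192.168.100.10 host 10.10.20.1
capture CAP_DROP type asp-drop all
show capture CAP_IN
show capture CAP_DMZ
show capture CAP_DROP
show asp drop

! 4. Least-privilege permits on both interfaces: only UDP 67 (bootps) between the
!    relay address and the server, nothing broader. Caution: access-group binds one
!    ACL per interface/direction, so add these lines to any ACL already applied
!    there rather than replacing it.
access-list INSIDE_IN extended permit udp host 10.10.20.1 eq bootps host 192.168.100.10 eq bootps
access-list DMZ_IN extended permit udp host 192.168.100.10 eq bootps host 10.10.20.1 eq bootps
access-group INSIDE_IN in interface inside
access-group DMZ_IN in interface dmz

! 5. Remove the captures once the path is confirmed; they consume memory.
no capture CAP_IN
no capture CAP_DMZ
no capture CAP_DROP
```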
